Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious links within seemingly legitimate payment requests. 

This tactic aims to deceive recipients into opening the invoice, leading to:

• Potential data breaches
• Financial fraud
• Unauthorized access to sensitive information

Cybersecurity researchers at Perception Point recently discovered and analyzed sophisticated malware dubbed “LUMMA” malware.

Basically Sandboxing technology can identify and isolate malicious software with precision and accuracy, protecting the system from potentially harmful malware.

Protect Your Storage With SafeGuard

Is Your Storage & Backup Systems Fully Protected? – Watch 40-second Tour of SafeGuard

StorageGuard scans, detects, and fixes security misconfigurations and vulnerabilities across hundreds of storage and backup devices.

Try StorageGuard for Free

Invoice to Deliver LUMMA Malware

Cybersecurity analysts identified that the attacker, posing as a financial services company in this campaign, tricks the target with a fake invoice email. 

The user is urged to click “View & Download Invoice,” but the provided website is unavailable. To maintain legitimacy, a valid website link is included that redirects users after the failed button click.

The attacker dodges detection using a fake page and a real link. Security scans miss malicious payload hidden behind error pages and innocent URLs. 

Clicking the link redirects to harmful URLs triggering automatic download of malicious files. The attacker breached a legitimate site to host a redirect. 

Besides this, the website code reveals multiple redirects to dangerous URLs, like hxxps://robertoscaia[.]com/eco, downloading malware through the “.exe” file generator.

LUMMA is an InfoStealer malware that is written in C language and spreads through Malware-as-a-Service. 

The attack features three processes, and here below, we have mentioned those processes: –

• 1741[.]exe
• RegSvcs[.]exe
• wmpnscfg[.]exe

Notably, the “1741[.]exe” process runs from the user’s temp folder, raising suspicions due to legitimate programs not using this location.

Processes ‘RegSvcs[.]exe’ and ‘wmpnscfg.exe’ from unusual folders suggest suspicious behavior linked to malware. 

Parent processes with PIDs 1388, 3428, and 1388 add complexity, aiming to hide malicious activities.

Increasingly sophisticated threats demand constant security system evaluation.

This incident highlights the need for advanced prevention, continuous monitoring, and a multi-layered approach to detecting and countering evolving cyber threats.

IOCs

Main object – 3827.exe

• md5 0563076ebdeaa2989ec50da564afa2bb
• sha1 ac14e7468619ed486bf6c3d3570bea2cee082fbc
• sha256 515ad6ad76128a8ba0f005758b6b15f2088a558c7aa761c01b312862e9c1196b

Dropped executable file

• sha256 C:\Users\admin\AppData\Local\Temp\Protect544cd51a.dll dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

DNS requests

• domain taretool[.]pw

Connections

• ip 104[.]21[.]21[.]50
• ip 224[.]0[.]0[.]252

HTTP/HTTPS requests:

• url hxxp://taretool[.]pw/api
• url hxxp://www[.]patrickforeilly[.]com/eco/
• url hxxps://www[.]patrickforeilly[.]com/eco/
• url hxxps://www[.]robertoscaia[.]com/eco/
• url hxxps://fuelrescue[.]ie/eco/
• url hxxps://www[.]7-zip[.]org/a/7zr[.]exe

Experience how StorageGuard eliminates the security blind spots in your storage systems by trying a 14-day free trial.